On 28 Jan 2016, at 00:06, Andreas Krey <a.krey@gmx.de> wrote:
(It also occurred to me that you don't actually need to be the clearservice org to be able to set up an onion for them, as long as there is no https enforced/needed on the onion side.)
Yes, which is a bit of a security nightmare.
Malicious onion sites proxying clearnet or onion sites is a known issue.